Joined: Wed Dec 13, 2006 5:27 am | Posts: 3130 | Location: A little south and a lot west of Moscow

Re: DataRealms Website Malware Warning

As you guys can probably imagine, Data is trying to get these problems (as well as some potentially related server issues) dealt with as soon as possible. It's getting a little difficult, though, since he's also trying to work on the next version of CC at the same time. If anybody is willing to give him a hand, or knows anybody who might, send me (or him) a PM.

Oh hi there. This is the presumably foreign piece of script on the site that I managed to catch. It was in a hidden iframe, with a src of "http://ovalslassostyle.net/111", scriptsrc being "/xSE_dFpCn/xjUVworW?cvgqzt=OL.k_kgz8zX5kO"

Funny obfuscation. It creates strings "eval", "substring", "fromCharCode", "indexOf" and "CharAt" with the variables, and calls them as functions.

I think the starting ifs break the script after it executes, removing it.

As already said, it seems to be happening once per IP or something. The offsite code (called by the obfuscated script) likely hides the script from you once it executes. Or maybe it uses cookies. I caught it with NoScript: it pops a nice big block icon where the invisible iframe resides.

Will check the GET console of Firefox the next time it happens, in hopes of getting a look at the offsite code. I doubt that's how it works, but eh.

So it was getting the evil code from an external site. Time to audit security it seems!

Sun Jun 24, 2012 10:11 pm

Glowsticks

Joined: Sat Jul 10, 2010 5:19 pm | Posts: 543

Re: DataRealms Website Malware Warning

So, does this mean DRL users are now part of a botnet, or did I read the last two pages incorrectly?

Sun Jun 24, 2012 11:58 pm

TheLastBanana

DRL Developer

Joined: Wed Dec 13, 2006 5:27 am | Posts: 3130 | Location: A little south and a lot west of Moscow

Re: DataRealms Website Malware Warning

I would strongly suggest that anybody who's visited the site in the last little while run Malwarebytes just to make sure nothing got through. If your security was up to date, chances are you'll be okay.

The last little while being from May 20 onwards.

Tue Jun 26, 2012 7:07 pm

NikolaiLev

Joined: Fri Aug 26, 2011 3:06 am | Posts: 42

Re: DataRealms Website Malware Warning

I ran an avast scan on June 10 and a MWB scan on June 25. The former resulted in some supposedly infected .dll file in my DesuraApp folder. The latter resulted in two PUM.Hijack.StartMenu items, one being Explorer\Advanced|Start_ShowHelp and Explorer\Advanced|Start_ShowSearch.

I'm running Opera 12.00. I'm also running Windows XP SP3. I guess nothing got in, since I doubt either of those scans had to do with what was on the site.
